03-09-2021 05:23 AM
Have an Active/Active deployment, single firewall at each DC with EVPN/VXLAN through Juniper cores. Can we have the HA-3 link go through the core switches? We are using data plane interfaces for HA-2, HA-2B, and HA-3. We have the VLANs stretched across to the other data center for the HA-2 and HA-3 links and jumbo frames enabled. I need to verify if the HA-3 link can operate properly through EVPN/VXLAN or do we need a direct connection. I ask because normally for HA-2 I would just use ethernet as the transport but had to use IP even though the VLANs are stretched.
Also, for session setup I normally use IP Modulo but PAN config guide states First Packet is recommended.
Thanks!
03-09-2021 05:59 AM
It is supported across switches as long as the switch has jumbo frames configured, which you say you have, although I would suggest that it is not really the best scenario. First packet would minimise traffic across the HA3 link, which is always preferable, and in fact is the best starting point before doing any performance tuning.
Remember Force VR sync and QoS sync as appropriate.
03-09-2021 06:42 AM
Is there a way to determine if HA-3 is actually layer 2 prior to cutover? I assume I can look at the ARP table in the Palo and the switches.
03-09-2021 07:27 AM
It will be a dedicated Layer 2 interface so shouldn't be anything else. You would be able to check for the MAC on the switch for the interfaces, though.
03-09-2021 08:53 AM
Thanks! Don't know why I said ARP table for layer 2. What would explain the need for HA-2 to require an IP transport with an IP address? I did one with OTV and did not require IP transport. I am not a VXLAN expert but would assume if it is true layer 2 I could use transport ethernet.